DIGITAL DATA PROTECTION AND REGULATION IN KENYA

The Kenyan General Election of 2017 highlighted some major shortcomings of the ICT sector in comparison to other countries. The overturned elections led to a call to have servers opened to authenticate the results of the presidential election. This led to a protracted court battle that saw the alleged host country where the servers were located dilly dally on complying with the court order. A number of ‘ICT experts” weighed in the issue to no avail.

The Ministry of ICT under Joe Mucheru then attempted to introduce a bill to regulate the industry and set a code of conduct. The aim of the bill is to create a licensing body for the IT industry, not only to certify ‘experts’ but also play a watchdog role. The idea is to emulate the Law Society of Kenya for Lawyers. The bill has been met with resistance from industry players who claim that this will glorify degrees over experience. Only time will tell if this Bill will ever become Law.

The New Year that is 2018 is definitely bound to bring changes. Events in Europe might push the ICT sector to form this body to regulate its members and also come up with policies that will strengthen Kenya’s position in the global digital marketplace. The European Data Protection Regulation is set to come into full effect on May 25, 2018. EU member states seek to benefit from this directive that dictates how data collected from EU residents is collected, processed and distributed.

The new Law has four key components:

SCOPE

It applies to data controllers, or organizations that collect data, process it (users on behalf of others e.g cloud service providers) and data subjects, who are EU residents. It also extends to organizations outside the EU who use or process personal data from EU residents.

SINGLE SET OF RULES

The set of rules pertains to all EU member states, with each state setting up an independent Supervisory Authority to hear complaints, set up administrative structures and implement the policy to the letter. A Data Board will also be in place to supervise all Supervisory Authorities and enhance the working relationship among the states.

RESPONSIBILITY AND ACCOUNTABILITY

Liability in the wake of a data breach will be highlighted to ensure a lot of care is taken when handling information. Retention time for personal data and contact information of data controllers and protection officers will also be clearly documented. The data controller should be able to demonstrate compliance of processing activities that aim to protect privacy.

LAWFUL BASIS FOR PROCESSING

All handling of data should follow the law by covering basics of human rights such as seeking consent from subject before use, protecting their interests and performance of tasks that are in the interest of the public

The Kenyan ICT sector is yet to gain some structure. When the deadline lapses a lot of organizations will miss out on businesses with the EU because of non compliance. European countries will identify a compliance officer, who is expected to be proficient in managing IT processes, data security and cyber attacks. Kenyan practitioners need to be able to address policy issues within their companies to be able maintain such relationships. All is not lost as there are already qualified individuals to advice on ICT policy and cyber security compliance on the global scene.

The lack of privacy experts is bound to be a major talking point as the May deadline approaches. The EU Digital Single Market Strategy aims to enhance Europe’s position as a digital economy. Kenya, the hub of sub-Saharan business needs to respond in kind. The E-Privacy regulation will mostly affect e-commerce platforms that are on the fast uptake in Kenya. Jumia, Masoko, Kilimall or any other company dealing with any form of online communication need to take note